I seem to have a major problem with wuftpd version wu-2.4, in that if a specific sequence of steps is taken, the user's password is logged to /var/adm/messages, wtmp, and to the screen.

This is happening under SunOS 4.1.3 with shadow passwords. I _cannot_ duplicate this behavior under SunOS 4.1.3_U1 without the shadow passwords.

The steps that cause this are as follows:

- There is an initial failed login by some "non-allowed" user.
- Then, while still connected, the command: "user realuser" is entered. (where "realuser" is a user in one of the guestgroups.)
- The password is then entered, and the user is allowed in.

However, the user's password is displayed in /var/adm/messages, wtmp, and to the console in the "User XXXXXXXX logged in." message. (where "XXXXXXXX" is the user's password instead of their userid.)

I've included the output of this session at the bottom of this message, in the hopes that it might prove useful. I'm stumped without digging through the code, which I'd prefer not to do.

Has anyone else experienced this behavior?

Thanks for any help/advice.

-DaVe
mccomb@interport.net
http://www.interport.net/~mccomb

---------------

host01(~)> /usr/ucb/ftp host00
Connected to host00.bogus.com.
220-**************************************************************************
220-
220- ONLY AUTHORIZED USE OF THIS SYSTEM IS PERMITTED. THE USER CONSENTS TO
220- THE MONITORING OF THE SYSTEM BY SYSTEM MANAGEMENT TO ASSURE ALL SYSTEM
220- USE IS AUTHORIZED AND TO ASSURE EFFICIENT OPERATION OF THE SYSTEM.
220-
220-**************************************************************************
220-
220 host00 FTP server (Version wu-2.4(1) Wed Mar 15 17:04:32 EST 1995) ready.
Name (host00:mccomb): ftp
530 User ftp access denied.
Login failed.
ftp> user realuser
331 Password required for realuser.
Password:
230-**************************************************************************
230-
230- Local time is Wed Mar 15 17:08:27 1995.
230-
230-**************************************************************************
230-
230 User XXXXXXXX logged in. Access restrictions apply.
ftp> quit
221 Goodbye.

Where "XXXXXXXX" above is the user's password and not their user ID!

---------------

And, in /var/adm/messages:

Mar 15 17:18:41 host00 ftpd[9100]: connection from host01 [xxx.xx.x.xxx]
Mar 15 17:18:43 host00 ftpd[9100]: FTP LOGIN REFUSED (name in /usr/local/etc/ftphosts) FROM host01 [xxx.xx.x.xxx], ftp
Mar 15 17:18:43 host00 ftpd[9100]: USER ftp
Mar 15 17:18:46 host00 ftpd[9100]: USER realuser
Mar 15 17:18:49 host00 ftpd[9100]: PASS password
Mar 15 17:18:49 host00 ftpd[9100]: FTP LOGIN FROM host01 [xxx.xx.x.xxx], XXXXXXXX
Mar 13 17:18:52 host00 ftpd[9100]: QUIT
Mar 15 17:18:52 host00 ftpd[9100]: FTP session closed

Where "XXXXXXXX" once again is the user's password, not userid.

---------------

From /etc/inetd.conf:

ftp stream tcp nowait root /usr/local/etc/tcpd /usr/local/etc/ftpd -dl

--------------
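
A log check for the symptom reported above, added here as an example and not part of the original message or of wu-ftpd: it flags any "FTP LOGIN FROM" record whose name differs from the last USER command logged by the same ftpd process, without echoing the logged name. The function name, the sample lines and the stand-in value "s3cretpw" are constructed, and it assumes USER commands appear in the log as they do in the output above.

```python
import re
from collections import namedtuple

# Syslog shape used in the post: "Mon DD HH:MM:SS host ftpd[pid]: message"
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) (\S+) ftpd\[(\d+)\]: (.*)$")
USER = re.compile(r"^USER (\S+)$")
LOGIN = re.compile(r"^FTP LOGIN FROM .*, (\S+)$")
Finding = namedtuple("Finding", "timestamp host pid expected_user")

def find_mismatched_logins(lines):
    """Flag 'FTP LOGIN FROM' records whose name differs from the last USER
    command seen for the same ftpd pid. The logged name itself is never
    returned, because in the reported failure it is the password."""
    last_user = {}   # (host, pid) -> most recent USER argument
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, host, pid, msg = m.groups()
        key = (host, pid)
        user_cmd, login = USER.match(msg), LOGIN.match(msg)
        if user_cmd:
            last_user[key] = user_cmd.group(1)
        elif login and key in last_user and login.group(1) != last_user[key]:
            findings.append(Finding(ts, host, pid, last_user[key]))
        elif msg == "FTP session closed":
            last_user.pop(key, None)   # pids get reused; drop stale state
    return findings

# Constructed sample modelled on the post's log; "s3cretpw" stands in for XXXXXXXX.
SAMPLE = """\
Mar 15 17:18:41 host00 ftpd[9100]: connection from host01 [xxx.xx.x.xxx]
Mar 15 17:18:43 host00 ftpd[9100]: FTP LOGIN REFUSED (name in /usr/local/etc/ftphosts) FROM host01 [xxx.xx.x.xxx], ftp
Mar 15 17:18:43 host00 ftpd[9100]: USER ftp
Mar 15 17:18:46 host00 ftpd[9100]: USER realuser
Mar 15 17:18:49 host00 ftpd[9100]: PASS password
Mar 15 17:18:49 host00 ftpd[9100]: FTP LOGIN FROM host01 [xxx.xx.x.xxx], s3cretpw
Mar 15 17:18:52 host00 ftpd[9100]: FTP session closed
Mar 15 17:20:01 host00 ftpd[9101]: USER realuser
Mar 15 17:20:04 host00 ftpd[9101]: PASS password
Mar 15 17:20:04 host00 ftpd[9101]: FTP LOGIN FROM host01 [xxx.xx.x.xxx], realuser
""".splitlines()

if __name__ == "__main__":
    for f in find_mismatched_logins(SAMPLE):
        print(f"{f.timestamp} {f.host} ftpd[{f.pid}]: login name differs from USER {f.expected_user}")
```

Any account the check flags should have its password treated as exposed in /var/adm/messages and wtmp.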